Iranian global cyber espionage campaign exposed

Check Point Software Technologies Ltd. on Monday published a 38-page report identifying specific details and broad analysis on cyber-espionage activity conducted by the group “Rocket Kitten,” with possible ties to the Iranian Revolutionary Guard Corps. The new report also reveals details of the group’s global operations and insight into more than 1,600 of their targets.

Led by researchers in Check Point’s Threat Intelligence and Research Area, the report’s new data paints a picture of strategic malware attacks supported by persistent spear-phishing campaigns. The details show Rocket Kitten actively targeted individuals and organizations in the Middle East, as well as across Europe and in the United States. Check Point says that the report documents specifics such as:

  • Business and government sectors across Saudi Arabia, including news agencies and journalists; academic institutions and scholars; human rights activists; military generals; and members of the Saudi royal family.
  • Embassies, diplomats, military attachés and “persons of interest” across Afghanistan, Turkey, Qatar, United Arab Emirates, Iraq, Kuwait and Yemen, as well as NATO commands in the region.
  • Dozens of Iran researchers, as well as European Union Iran research groups, specifically in the fields of foreign policy, national security and nuclear energy.
  • Venezuelan trade and finance targets.
  • Former Iranian citizens of various influential positions.
  • Islamic and anti-Islamic preachers and groups; famous columnists and cartoonists; TV show hosts; political parties; and government officials.

The researchers were also able to trace and unmask the true identity of an aliased attacker, identified as “Wool3n.H4T,” as one of the prominent figures behind this campaign. Further, based on the nature of the attacks and associated repercussions, the report suggests Rocket Kitten’s motives were aligned with nation-state intelligence interests, aimed at extracting sensitive information from their targets.

“This research provides a rare look at the nature and global targets of a global cyber espionage group,” said Shahar Tal, Research Group Manager at Check Point. “While Check Point customers are protected against all known variants of these threats by Rocket Kitten, it is our hope fellow security vendors and malware research professionals take the proper precautions and deploy relevant protections.”

The analysis by Check Point shows that most of Rocket Kitten’s attacks were directed at Saudi targets (18 percent of the total number of attacks), followed by U.S. targets (17 percent), internal Iranian targets (16 percent), the Netherlands (8 percent), Israel (5 percent), Georgia (5 percent), and Turkey (3 percent).

Tal told Ha’aretz that Check Point estimates that 26 percent of the attacks were successful.

Rocket Kitten’s hacking activities had already been noticed by other cybersecurity firms, including Trend Micro and ClearSky. Check Point began following the group after one of Check Point’s clients was attacked.

Check Point’s experts were not impressed with the quality and sophistication of the programmers who work for Rocket Kitten. “From the perspective of information security, [Rocket Kitten’s hacking] was amateurish,” Tal said. He noted that the group’s use of cryptography was “weak to non-existent,” adding that “the tools and methods they employed were very limited relative to those used in the West. But it works. If you send someone who doesn’t know much [about hacking] an .exe file and he clicks on it, there is no need for more than that.”

The report offers examples of the amateurish quality of the Rocket Kitten hackers. In one case, the hackers managed to infect their own computers with the malware they had developed. Their testing of the malware was so successful that they could not remove the files containing the virus from their computers.

— Read more in Rocket Kitten: A Campaign With 9 Lives (Check Point Research Team, 9 November 2015)
